Dear all,
I have a zone local.grf.hr administered by AD, DHCP and DDNS run by Windows Server 2016 (not by my architectural choice). However, since Windows Server 2016 had a round-robin strategy of querying the forwarders, it performed worse than BIND9 on an old Debian server.
So, I had BIND9 as the secondary server ("slave" is somewhat politically incorrect) and I wanted to secure transactions with TSIG HMAC-SHA256 or stronger, as between Debian BIND9 servers.
I've been Googling around, and they say it cannot be done, because Windows Server uses a special proprietary GSS-TSIG. The article was for an earlier version of WS. Has there been some improvement in the meantime?
We are thinking about moving the DHCP server to Linux, but it is a huge job to convert the reservations, so it may not be done in the next couple of months.
I would like to secure DNS xfers from zone poisoning in the meantime, considering the recent surge of cyber attacks since the recent war started, and our country voted support for the defending party.
Frankly, I am not in deep with Microsoft DNS, and I guess there can be some tweaking with PowerShell, and maybe even some undocumented features, but right now I am presented with a problem I can't seem to solve because it is not an open system.
Thanks for any help.
Kind regards,
Mirsad Todorovac
--
Mirsad Goran Todorovac
CARNet sistem inženjer
Grafički fakultet | Akademija likovnih umjetnosti
Sveučilište u Zagrebu
--
CARNet system engineer
Faculty of Graphic Arts | Academy of Fine Arts
University of Zagreb, Republic of Croatia
tel. +385 (0)1 3711 451
mob. +385 91 57 88 355